How To Use SPF To Protect Your Domain From Spoofing

Many business owners are currently struggling to rebuild trust in their brand. This is because at one point or another, scammers have used their domain to scam many of their unsuspecting customers and subscribers. This has created a disconnect between them and their customers. Subscribers now hesitate to trust anything that comes from their domain. So, they are now losing sales they would have otherwise closed.

This doesn’t have to happen to you. You can join other smart email marketers and business owners using SPF to protect their domain from spoofing.

Table Of Contents

What Is SPF?

Why Do You Need SPF?

How Does SPF Work?

What Is SPF Record?

How Do I Create An SPF Record?

How To Verify Your SPF Record

SPF Verification Result Translation

Major Components Of An SPF Record

What Is SPF?

Sender Policy Framework (SPF) is an email authentication standard. A domain owner can use SPF to tell receiving mail servers which senders are approved to send emails from their domain.

SPF relies on a record containing the list of IP addresses you approve for sending emails through your domain. The SPF record is published in the Domain Name System (DNS).

Your Email Service Provider can identify forged sender addresses. They can do this by checking the record to verify the identity of the sender. They can then penalize imitation addresses.

Why Do You Need SPF?

People can send emails from their computers and claim that they’re from any source. Spammers are taking advantage of this opportunity to forge email addresses. They’re then using them for spoofing.

They do this by disguising themselves as a trusted source. From there, they are able to deceive the email receivers into reading their messages. Spoofing is intended to make people give away their confidential information. Because of this, the people behind it damage the reputation of the email address or domain name they forge.

As an email marketer or business owner, you will lose credibility if your domain is used for sending spoofing emails.

Some spammers may send unauthorized emails through your domain as well. If they do, your domain may be flagged as spam. Emails from a flagged domain won’t be allowed into the inbox folder. This will have a negative impact on your deliverability.

Set up an SPF record for your email address or domain name. When you do this, ESPs will recognize the domain as legitimate and won’t flag messages from the domain as spam. They will also recognize emails sent from unauthorized hosts and flag such emails as spam.

By doing this, spammers are less likely to use your domain for spoofing. This ensures you will also avoid being blacklisted. This is one sure way to ensure your emails end up in your subscribers’ inboxes instead of spam folders.

If you don’t protect your domain with SPF, your ESP may mark emails from the domain as spam. You can prevent spammers from using your domain and improve your deliverability through SPF.

How Does SPF Work?

The receiving ESP verifies your SPF record before it delivers your messages to your subscribers. It looks at the domain in the Return-Path, or “envelope from,” address of the message.

It then compares the IP address the message was sent from with the IP addresses in the domain’s SPF record. If the address is not listed in the record, the message will fail SPF authentication.

What Is SPF Record?

An SPF record is a record of all the hosts approved to send mail for your domain name. Messages from IP addresses that you didn’t list in your SPF record are treated as coming from spammers.

How Do I Create An SPF Record?

You must create an SPF record for your domain first before an Email Service Provider (ESP) can use the record for verification. Follow the steps below to create the record without stress:

1. Collect the IP addresses

You must first collect the IP addresses that are used to send emails through your domain. This may include organizations or individuals that use third-party mail servers to send an email on your behalf. The list should cover all your mail servers.

You can check your ISP’s mail server, an in-office mail server, or your web server as likely IP addresses to include in the SPF record. If you’re using an ESP, reach out to them to obtain your sending IP address.

2. Compile A List Of Your Sending Domains

It is possible that your company has several domains registered in its name. You may use some of these domains for sending emails while you may not use others.

Create SPF records for both the domains you use regularly and those you don’t use for mailing. This is to prevent spammers from targeting the domains you don’t use if they can’t abuse the ones you use regularly.

Once you have a list of the sending domains, go ahead and create the SPF record.

3. Create the Record

An SPF record begins with the version number, in this format: v=spf1. This identifies the record as the first version of SPF.

Once you have included the version, list the IP addresses you wish to allow to send emails on your domain’s behalf. For instance, v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e, and so on.

If there are third-party organizations you use for sending out emails for your brand, include them as well. For instance, include:thesenderdomain.com. By including the third party, you have authorized it to send emails on behalf of your domain name.

Once you have successfully added the include tags and IP addresses, end the record with the -all or ~all tag. This tag is very important in the SPF record because it determines how to handle a server not listed in the SPF record. If such a server sends a message via your domain, the action determined by the tag will be applied to that message: the ESP may mark the email as spam or reject it.

If you define your SPF record properly, it will be in this form: v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e include:thirdpartydomain.com -all

When creating your SPF record, note that you can’t exceed 255 characters. If you must exceed the character limit while adding more IP addresses, use the include option. Add this to your SPF record this way: include:extra-1.example.com. Then create another TXT or SPF record for extra-1.example.com and place another block of up to 255 characters in the new record. You can do this for as many blocks of IP addresses as you want.

You also can’t add more than 10 include tags. If you exceed the 10 DNS query limit, the record will produce an error and will be treated as if you haven’t created any record.

Once you are done with the SPF record creation, publish it into the DNS.

4. Publish the SPF Record

When you publish the record into the DNS, Hotmail, Gmail, and other email service providers can have easy access to it. If your DNS provider provided you with a dashboard, use it to publish the record. Otherwise, ask the DNS provider to assist you to publish it.

If you want to publish it through your DNS manager, follow these steps:

  1. Visit your domain host provider’s website and log in to your domain account.
  2. Use the DNS management menu.
  3. Select the domain containing the records you want to change.
  4. Open the DNS Manager.
  5. Check the text section and create a TXT record.
  6. Write your domain name in the Host field.
  7. Input your SPF record in the TXT Value field.
  8. Specify the Time to Live (TTL). You may leave it at the default or enter 3600. The Time to Live refers to the lifespan of data stored in a network or a computer.
  9. Click “Add Record” or “Save” to publish the record into your DNS.

Note that it may take up to 48 hours before the record goes into effect.

If you can’t handle the publishing, contact your DNS server administrator for help. They will assist you with publishing to enable email providers to make easy reference to it.

If you are unsure of whether your ISP administers your DNS records, your IT department should be of help.

5. Test the SPF Record

When you are through with the record creation, test it. The test result will show you the list of all the servers that are authorized to use your domain to send an email. If the list doesn’t contain some of the IP addresses you authorized for sending emails, update your record.
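The rules from step 3 can be checked offline before the record is published. The following is an added example, not part of the original article or any tool it mentions; it counts every term that triggers a DNS query (include, a, mx, ptr, exists, redirect) toward the limit of 10, and all sample records are constructed.

```python
import ipaddress
import re

# Terms that trigger a DNS query when a receiver evaluates the record.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
MAX_LENGTH = 255   # character limit given in the article
MAX_LOOKUPS = 10   # DNS query limit given in the article


def lint_spf(record):
    """Return a list of problems found in an SPF record string (no DNS used)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    if len(record) > MAX_LENGTH:
        problems.append(f"{len(record)} characters, limit is {MAX_LENGTH}")
    lookups = 0
    for term in terms[1:]:
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name not in KNOWN_TERMS:
            # Also catches a typographic dash pasted in place of "-".
            problems.append(f"unknown term {term!r}")
        elif name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(body.partition(":")[2], strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
            except ValueError:
                problems.append(f"invalid address in {term!r}")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-querying terms, limit is {MAX_LOOKUPS}")
    last = terms[-1].lower()
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if last in ("all", "+all"):
        problems.append("final all passes every sender; use -all or ~all")
    elif last not in ("-all", "~all", "?all") and not has_redirect:
        problems.append("record should end with -all or ~all")
    return problems


# Constructed sample records; hosts and addresses are illustrative only.
GOOD = "v=spf1 ip4:34.243.61.237 include:thirdparty.example -all"
BAD_IP = "v=spf1 ip4:34.243.56.357 -all"
PASTED_DASH = "v=spf1 mx \u2013all"  # en dash instead of a hyphen
TOO_MANY = "v=spf1 " + " ".join(f"include:h{i}.test" for i in range(11)) + " ~all"

if __name__ == "__main__":
    for rec in (GOOD, BAD_IP, PASTED_DASH, TOO_MANY):
        print(rec[:60], "->", lint_spf(rec) or "ok")
```

A record copied from a word processor or web page often carries a typographic dash before all, which receivers do not read as the - qualifier; the linter reports it as an unknown term.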

How To Verify Your SPF Record

Your SPF record is only useful if it is valid. You can only learn its validity by running it through an SPF record testing tool.

With the tools, you can get the SPF record for your domain name and check it for validity. This includes checking whether the record has the right syntax that will make it valid. This test is important before you publish your records. If the record is not syntactically correct, it may be difficult for ESPs to reference it.

You can also test your record’s performance. This test will cover the different IP addresses the mail may be sent from.

There are several tools for checking an SPF record, and they follow a similar verification procedure. You can use any of them for the verification.

The verification process follows this format:

  • Go to the website.
  • Enter the domain name you want to check the SPF record for.
  • Click “Run Checks.”
  • Upon completion of the test, you will receive the result of the test with the list of several IP addresses.

SPF Verification Result Translation

The verification test will give you some results. These results give you a clue into your domain name’s performance.

  • None: There was no SPF record for the domain.
  • Neutral: The domain owner doesn’t want to state that it has authorized the IP address to send messages from the domain. This result receives the same treatment as the ‘None’ result. Such SPF records use the ? qualifier.
  • Pass: The IP address can send information from the domain.
  • Fail: The IP address is not authorized to use the domain.
  • SoftFail: The IP address may use the domain or may not use it.
  • TempError: There was a temporary error during the verification process. This may be caused by some technical issues during the exercise. This doesn’t imply that the SPF record is invalid.
  • PermError: The ESP can’t verify the published SPF record. This may be the result of a format or syntax error in the record itself.

Major Components Of An SPF Record

The SPF version number and some strings make up the SPF record. The strings include mechanisms, qualifiers, and modifiers.

SPF Mechanisms

The SPF record contains some mechanisms. Some of them are:

  • All: This mechanism always matches, for both remote and local IPs, and is used for ~all and other default results. It is usually at the SPF record’s end. With ~all, the ESP should accept the message but classify it in the Soft Fail category.
  • A: The mechanism will match if the domain has an address record that resolves to the sender’s address. In a nutshell, it covers the IPs in the A record of the DNS. So, if someone uses your A record’s IP address to send an email, the message will pass.
  • IP4: It should match if the sender is within IPv4 address range. It may also refer to a single IPv4 address.
  • IP6: Sender in IPv6 address will make it match.
  • MX: It will also match if there is an MX record in the domain name. It covers all A and AAAA records for each of the MX records. There is a match if the email is from an IP address of the incoming mail servers of the domain.
  • EXISTS: Matching is positive if the domain name resolves to an address. This is regardless of the address the domain resolves to.
  • PTR: This specifies all the A records associated with the PTR record of each host.
  • INCLUDE: all authorized domains are specified with this mechanism.

For instance, “v=spf1 mx -all” indicates that the MX hosts of the domain should be allowed to send emails through the domain while other hosts are not allowed to do so.

SPF Qualifiers

Qualifiers are used to prefix mechanisms. There are four qualifiers. These four qualifiers are:

  • “+”: This signifies “Pass.” It informs the ESP to accept messages from the address because it passed the verification test. For example: “v=spf1 +all”
  • “-”: This is a Hard Fail. In this case, the address failed the verification test. The ESP should bounce emails from such addresses.
  • “~”: Soft Fail. Although the address didn’t pass the test, there is no definitive result about it. Thus, the ESP may accept non-compliant emails and tag them. For example: “v=spf1 ~all”
  • “?”: The address neither passes nor fails the test. In this case, the ESP may do whatever pleases it with the address. It may accept or reject it. For example: “v=spf1 ?all”

Note that the “+” will be the default option if you don’t include a qualifier.
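How the comparison from “How Does SPF Work?” produces the results listed under “SPF Verification Result Translation” can be shown with a small offline evaluator. This is an added example, not code from the original article; the dictionary stands in for DNS, all domains and addresses are constructed, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

QUALIFIER_RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_spf(sender_ip, domain, txt_records, depth=0):
    """Evaluate sender_ip against the SPF record of domain.

    txt_records is a dict standing in for DNS (domain -> record string).
    """
    record = txt_records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "None"
    if depth > 10:                      # guard against include loops
        return "PermError"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # first matching mechanism decides
        qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"  # "+" is the default
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "PermError"      # malformed address in the record
        elif name == "include":
            inner = check_spf(sender_ip, value, txt_records, depth + 1)
            if inner in ("None", "PermError"):
                return "PermError"
            matched = inner == "Pass"   # a Fail inside an include is only "no match"
        else:
            # a, mx, ptr, exists and modifiers need real DNS; not handled here.
            raise NotImplementedError(f"term not handled offline: {term}")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "Neutral"                    # nothing matched and no "all" term


# Constructed stand-in for DNS; every name and address is illustrative.
DNS = {
    "example.com": "v=spf1 ip4:34.243.61.237 include:thirdparty.example ~all",
    "thirdparty.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "strict.example": "v=spf1 ip4:34.243.61.237 -all",
    "open.example": "v=spf1 ?all",
    "broken.example": "v=spf1 ip4:34.243.56.357 -all",
}

if __name__ == "__main__":
    for ip, dom in [("34.243.61.237", "example.com"), ("198.51.100.7", "example.com"),
                    ("203.0.113.9", "example.com"), ("203.0.113.9", "strict.example")]:
        print(ip, dom, check_spf(ip, dom, DNS))
```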

SPF Modifiers

Modifiers are added to an SPF record to provide extra information about it. There are two major modifiers:

  • “Redirect”: This modifier comes in handy when you have more than one domain and want to use the same SPF content on all of them. The modifier is a good choice if you are the one managing all the domains; if you are not, you can use “include” instead. It takes this form: redirect=some.domain.com
  • “Exp”: Sometimes a matched mechanism has a Fail qualifier. This modifier comes in handy then. Its major function is to provide an explanation for the failure.

Modifiers are usually placed at the end of the SPF record.

SPF, DKIM, and DMARC

Do you want a fool-proof system that protects from spoofing and its negative effects? Consider using SPF with other tools such as DMARC and DKIM.

DMARC

DMARC stands for Domain-Based Message Authentication, Reporting, and Conformance. It allows you to specify how your ESP should handle messages that appear to come from your domain.

You confirm all the domains that are allowed to send messages. DMARC provides information on how to authenticate your sender’s domain. It also helps with how to deal with suspicious emails.

It recommends three ways of handling suspicious emails. The ESP may take no action on the email, or it may mark it as spam and hold the message so that it can be processed further.

DMARC may also tell the ESP to reject the email. This will help you keep your credibility. It will help ease any worries over whether someone is using your domain name for sending information.

DKIM

DKIM stands for DomainKeys Identified Mail. It is a standard that ensures the message you send out is not altered before it reaches its destination.

DKIM enables you to sign the outgoing message as coming from your domain with a unique signature. You can use this when sending emails to your subscribers. Subscribers can verify the source of the email with the signature. So, if an email claims to come from your domain, they can easily check to confirm whether you sent the message or not.

DKIM also enables ESPs to identify the source of a message and confirm whether it is valid or not.

When they receive an email, they check the DKIM header to confirm its validity. They can also determine the next line of action once they have enough information about the source.

SPF does a good job at protecting your domain from spoofing. When used together with DKIM and DMARC, they will help you block potential loopholes that spammers may want to exploit.

This will improve your domain’s credibility and boost your delivery rates.
